000021313 - Policy of forcing a new user to reset password does not work for users added outside of ClearTrust admin GUI

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021313
Applies ToRSA ClearTrust 5.0.1
RSA ClearTrust Data Adapter for iPlanet
IssuePolicy of forcing a new user to reset password does not work for users added outside of ClearTrust admin GUI
When a new user logs in the first time, the user is not prompted to change password and is given access to the entitled protected resource. This was in contradiction to the password policy set for the owning administrative group, i.e. the ClearTrust Default Administrative Group that owns the user and resources was configured with 'Require Password Reset' feature enabled.
CauseUsers created directly in iPlanet Directory Server (and not through the Cleartrust Entitlements Manager) do not have the objectclass ctscUserAuxClass and the related ctsc attributes required for enforcing ClearTrust password policy
ResolutionTo correct this issue, update the user objects and add the required objectclass ctscUserAuxClass and attributes with valid values to ensure that the ClearTrust password policy is applied correctly to all users. To find out valid values for those attributes, create a new user through ClearTrust Entitlements Manager (ClearTrust admin GUI) and inspect the user object through iPlanet admin interface.

Specifically, for the above problem, the user object needs to have the attribute ctscUserKeyWords (belonging to ctscUserAuxClass objectclass) with one or more values of "NotExpired", "NormalExpiration", "NormalForcedExpiration", "NewUserExpiration", "Forced", "Password Policy", etc. With the above-mentioned configuration, a new user object created via ClearTrust admin GUI would contain the values "NewUserExpiration" and "Forced" in the attribute ctscUserKeyWords. If 'NewUserExpiration' is set, the new user is forced to change password when logging in the first time.

Note that if any users with missing ctscUserAuxClass are edited through the ClearTrust Entitlements Manager, the ctscUserAuxClass objectclass and related attributes will be automatically added to the user object.
WorkaroundThe 'Default Administrative Group' was configured through ClearTrust admin GUI to require new users to reset their passwords on their first login (the 'Require Password Reset' was checked)
New users were added by importing an ldif to iPlanet Directory Server (datastore for ClearTrust)
Legacy Article IDa17610